CN108259438A - Authentication method and apparatus based on blockchain technology - Google Patents
- Publication number: CN108259438A (application CN201611248779.4A)
- Authority: CN (China)
- Prior art keywords: identity information, information, application program, authorization, new application
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/0892: Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
- H04L63/0815: Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
- H04L67/10: Protocols in which an application is distributed across nodes in the network
Abstract
An embodiment of the present invention discloses an authentication method based on blockchain technology, comprising: acquiring the authorized identity information of each initial application that uses the cloud service and building a blockchain from the acquired identity information, the built blockchain including a block that stores the identification information of the corresponding authorized identity information; obtaining the authorized identity information of a new application that uses the cloud service; when the authorized identity information of the new application and the i-th item of acquired identity information satisfy a preset authentication condition, generating a block for storing the identification information of the new application's authorized identity information and appending the generated block to the corresponding blockchain to obtain a new blockchain; and obtaining from the new blockchain the block corresponding to the new application and logging in to the new application on the basis of the information stored in that block. The embodiment of the invention also discloses an authentication apparatus based on blockchain technology.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to an authentication method and apparatus based on blockchain technology.
Background
Platform as a Service (PaaS) is a model in which a server platform is provided as a service; it is one model of cloud computing. PaaS provides a runtime platform for developed applications (Apps), and the services the platform provides also include identity authentication services. In the cloud computing era identity information is proliferating, and the security problems of identity authentication are becoming increasingly prominent. To address identity authentication security, an identity authentication model for the PaaS environment has been proposed, which lets a PaaS cloud service provider offer efficient and flexible identity authentication services to the applications running on it. The advantage of this model is that it meets, at low cost, the needs of a single developer who builds multiple relatively independent applications with identical or similar identity authentication requirements; it is compatible with local identities and with OpenID identities, which represent the trend toward federated identity authentication, and it is readily extensible to further categories of identity.
Open Authorization (OAuth) is an open standard that allows a third-party application to access the various information a user has stored at a service, provided the user authorizes it, without the user having to hand the user name and password to the third-party application.
OpenID is a decentralized identity authentication technology widely used in cloud computing. It gives a user a way to move through multiple cloud services with a single identity, and it also solves the problem of being unable to log in after losing the cloud identity credentials registered with a cloud provider. However, OpenID has also frequently exposed many security vulnerabilities: for example, after logging in to a cloud service with an OpenID identity, a user may be unable to access the resources owned by that user's cloud identity, and OpenID neither authenticates the cloud service that requests the identity information nor applies fine-grained authorization to it. Consequently, the following problems exist when constructing an identity authentication model for a PaaS platform:
Security problems of the OpenID technology itself, for example: "phishing" (i.e. electronic fraud) exists, in which a user logging in to a website that claims to support OpenID may deliver the entered user name and password to a fraudulent page; and OpenID relies on a Uniform Resource Locator (URL) identifier that routes to the correct machine on the Internet, which in turn relies on the domain name resolution system that performs network address mapping, and the domain name resolution system is well known to carry security risks of its own.
Summary of the invention
To solve the above technical problems, embodiments of the present invention aim to provide an authentication method and apparatus based on blockchain technology that ensure the security of identity authentication on a PaaS platform.
The technical solution of the present invention is realized as follows:
An embodiment of the present invention provides an authentication method based on blockchain technology, comprising:
acquiring the authorized identity information of each initial application that uses the cloud service and building a blockchain from the acquired identity information, the built blockchain including a block that stores the identification information of the corresponding authorized identity information;
obtaining the authorized identity information of a new application that uses the cloud service;
when the authorized identity information of the new application using the cloud service and the i-th item of acquired identity information satisfy a preset authentication condition, generating a block for storing the identification information of the new application's authorized identity information and appending the generated block to the blockchain corresponding to the i-th item of acquired identity information to obtain a new blockchain, where i is an integer from 1 to n and n is the number of items of acquired identity information;
when it is determined that the new application needs to be logged in to via the cloud service, obtaining from the new blockchain the block corresponding to the new application and logging in to the new application on the basis of the information stored in the obtained block.
In the above solution, after the authorized identity information of the new application using the cloud service is obtained, the method further comprises: calculating, according to a preset similarity calculation method, the similarity between the authorized identity information of the new application and each item of acquired identity information;
and the preset authentication condition comprises: the similarity between the authorized identity information of the new application using the cloud service and the i-th item of acquired identity information being greater than a similarity threshold.
In the above solution, the preset authentication condition further comprises: the authorized identity information of the new application using the cloud service passing user verification.
In the above solution, the authorized identity information of the new application comprises at least one of the following: user name, email address, contact details, age, and occupation.
In the above solution, the identification information of the new application's authorized identity information is a part of the new application's authorized identity information.
In the above solution, the method further comprises: setting access permission information for each application that uses the cloud service, the access permission information indicating whether use of the application's required authorized resources is permitted and/or whether use of the application's optional authorized resources is permitted, where an application's required authorized resources are the cloud service resources that must be used to ensure that the application runs.
An embodiment of the present invention further provides an authentication apparatus based on blockchain technology, the apparatus comprising a building module, an obtaining module, an authentication module and a login module; wherein
the building module is configured to acquire the authorized identity information of each initial application that uses the cloud service and to build a blockchain from the acquired identity information, the built blockchain including a block that stores the identification information of the corresponding authorized identity information;
the obtaining module is configured to obtain the authorized identity information of a new application that uses the cloud service;
the authentication module is configured to, when the authorized identity information of the new application using the cloud service and the i-th item of acquired identity information satisfy a preset authentication condition, generate a block for storing the identification information of the new application's authorized identity information and append the generated block to the blockchain corresponding to the i-th item of acquired identity information to obtain a new blockchain, where i is an integer from 1 to n and n is the number of items of acquired identity information;
the login module is configured to, when it is determined that the new application needs to be logged in to via the cloud service, obtain from the new blockchain the block corresponding to the new application and log in to the new application on the basis of the information stored in the obtained block.
In the above solution, the authentication module is further configured to calculate, according to a preset similarity calculation method, the similarity between the authorized identity information of the new application using the cloud service and each item of acquired identity information;
and the preset authentication condition comprises: the similarity between the authorized identity information of the new application using the cloud service and the i-th item of acquired identity information being greater than a similarity threshold.
In the above solution, the preset authentication condition further comprises: the authorized identity information of the new application using the cloud service passing user verification.
In the above solution, the authorized identity information of the new application comprises at least one of the following: user name, email address, contact details, age, and occupation.
In the above solution, the identification information of the new application's authorized identity information is a part of the new application's authorized identity information.
In the above solution, the apparatus further comprises an authorization module configured to set access permission information for each application that uses the cloud service, the access permission information indicating whether use of the application's required authorized resources is permitted and/or whether use of the application's optional authorized resources is permitted, where an application's required authorized resources are the cloud service resources that must be used to ensure that the application runs.
In embodiments of the present invention, the authorized identity information of each initial application that uses the cloud service is acquired and a blockchain is built from the acquired identity information, the built blockchain including a block that stores the identification information of the corresponding authorized identity information; the authorized identity information of a new application that uses the cloud service is obtained; when the authorized identity information of the new application and the i-th item of acquired identity information satisfy the preset authentication condition, a block for storing the identification information of the new application's authorized identity information is generated and appended to the blockchain corresponding to the i-th item of acquired identity information to obtain a new blockchain, where i is an integer from 1 to n and n is the number of items of acquired identity information; and when it is determined that the new application needs to be logged in to via the cloud service, the block corresponding to the new application is obtained from the new blockchain and the new application is logged in to on the basis of the information stored in that block. In this way, the security of identity authentication on the PaaS platform is ensured.
Brief description of the drawings
Figure 1 is a schematic diagram of the basic structure of the blockchain in an embodiment of the present invention;
Figure 2 is a flowchart of the first embodiment of the blockchain-based authentication method of the present invention;
Figure 3 is a schematic diagram of the blockchain-based authorization process in an embodiment of the present invention;
Figure 4 is a schematic diagram of the blockchain-based authentication-check process in an embodiment of the present invention;
Figure 5 is a flowchart of the second embodiment of the blockchain-based authentication method of the present invention;
Figure 6 is a flowchart of the third embodiment of the blockchain-based authentication method of the present invention;
Figure 7 is a schematic diagram of the composition of the blockchain-based authentication apparatus according to an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of those embodiments.
Blockchain technology
A blockchain, also called a distributed ledger, is an Internet database technology: a technical solution in which a reliable database is maintained collectively in a decentralized, trustless manner. The decentralized, distributed structure of a blockchain lets every node verify the correctness of the data recorded by other nodes while itself taking part in record-keeping. Every node is a peer, and data is public between nodes.
The blockchain is the core technology of the Bitcoin system and was first proposed in the Bitcoin paper published by Satoshi Nakamoto in 2008. The purpose of adopting a blockchain is to realize the decentralized payment system that the Bitcoin system requires. Such a system has to solve the problem of trust between the two parties to a transaction, the double-spending problem and the Byzantine generals problem. To achieve this, Satoshi Nakamoto's paper covers the transaction model, proof of work, the network architecture, the incentive mechanism, the verification model and other aspects.
Satoshi Nakamoto's paper focuses on describing the blockchain as a means of realizing the Bitcoin system, so its description of the blockchain technology architecture itself is not very clear. Later researchers studied the blockchain technology architecture in more depth; Yuan Yong and Wang Feiyue describe it in detail in a survey article on blockchains. A blockchain spans everything from the underlying data structures through the consensus mechanism to the top-level application protocols, and since each part serves a different function, a layered structure is used to present them.
Figure 1 is a schematic diagram of the basic structure of the blockchain in an embodiment of the present invention. As shown in Figure 1, the basic structure of the blockchain is divided into six layers: the data layer, network layer, consensus layer, incentive layer, contract layer and application layer. Each layer performs one core function, and the layers cooperate to realize a decentralized trust mechanism.
Here the application layer comprises programmable currency, programmable finance and programmable society; the contract layer comprises script code, algorithmic mechanisms and contract mechanisms; the incentive layer comprises the issuance mechanism and the distribution mechanism; and the consensus layer comprises Proof of Work (PoW), Proof of Stake (PoS), Delegated Proof of Stake (DPoS) and so on.
The data layer and the network layer realize the main functions of the blockchain. The data layer mainly describes the physical form of blockchain technology, including data blocks, the chain structure, timestamps, hash functions, Merkle trees, encryption algorithms and so on. A blockchain has two main characteristics: data blocks and a chain structure. The physical realization of blockchain technology is a chain of blocks of identical format linked one after another in a chain structure. The first block in the chain is the genesis block, which is created by the system designers; after the genesis block is created, nodes in the blockchain network generate new blocks according to the creation rules and, once a new block has been verified, link it onto the main chain. As the system keeps running, the main chain keeps growing. For example, the main chain of the Bitcoin blockchain had 415,291 blocks as of 8 June 2016; these blocks contain the information that a specific application needs to record, such as the transaction information stored in the Bitcoin blockchain. To secure each block, existing technology employs a number of techniques: timestamps ensure that every block is linked in time order, hash functions ensure that transaction information is not tampered with, Merkle trees record the specific transaction information, and asymmetric cryptography provides identity authentication. It should be noted that the above blockchain structure is only a basic format, and the blockchain can be adapted to different application environments.
Each block in the blockchain may comprise a block header and a block body. Blocks are generated one after another in chronological order; each block records all the transaction information that occurred while it was being created, and all the blocks together form a set that records all transaction information.
The main purpose of the network layer is to realize the exchange of information between nodes in the blockchain network, and it includes the P2P network, the propagation mechanism and the verification mechanism. A blockchain network is essentially a peer-to-peer (P2P) network in which every node both receives and produces information. Nodes stay in communication by maintaining a common blockchain. In the blockchain network every node is equal and may create a new block; after a node creates a new block it broadcasts it to the other nodes, which verify the block information, and only after at least 51% of the users have verified the new block is it accepted and linked onto the main chain by the nodes in the network. The specific block verification method depends on the verification mechanism established by the nodes in the actual application.
Embodiments of the present invention realize identity authentication on a PaaS platform on the basis of the blockchain's underlying layers (i.e. the data layer and the network layer) described above.
第一实施例first embodiment
图2为本发明基于区块链技术的认证的方法的第一实施例的流程图,如图2所示,该方法包括:Fig. 2 is the flowchart of the first embodiment of the method of authentication based on block chain technology of the present invention, as shown in Fig. 2, this method comprises:
步骤200:获取使用云服务的每个初始应用程序的授权身份信息,基于所获取的身份信息建立区块链,所建立的区块链包括一个存储有对应的授权身份信息的标识信息的区块。Step 200: Obtain the authorization identity information of each initial application program using the cloud service, and establish a block chain based on the obtained identity information. The established block chain includes a block storing the identification information of the corresponding authorization identity information .
本步骤中,每个初始应用程序的授权身份信息包括以下至少一种信息:用户名、邮箱、联系方式、年龄、职业等。In this step, the authorization identity information of each initial application program includes at least one of the following information: user name, email address, contact information, age, occupation, and so on.
在实际应用中,用户在使用应用程序时,通常需要使用个人身份信息进行账号注册,在账号注册时通常需要输入用户名、邮箱、联系方式、年龄或职业等个人身份信息,且同一个用户在多个应用中的身份信息存在很大的相似性。因此可以通过身份信息相似性原理发现用户注册的所有应用程序的身份信息,并将同一用户在不同应用程序中注册的身份信息联合起来建立用户身份信息区块链,其中每一个区块中保存着用户登录应用程序时需要的授权信息对应的标识信息。这里,标识信息用于在授权信息通过认证后登录对应的应用程序。In practical applications, users usually need to use personally identifiable information to register an account when using an application. When registering an account, they usually need to enter personal identifiable information such as user name, email address, contact information, age or occupation, and the same user is in the There is great similarity in identity information in multiple applications. Therefore, the identity information of all applications registered by the user can be found through the principle of identity information similarity, and the identity information registered by the same user in different applications can be combined to establish a user identity information block chain, in which each block saves The identification information corresponding to the authorization information required when the user logs in to the application. Here, the identification information is used to log in the corresponding application program after the authorization information is authenticated.
步骤201:获得使用云服务的新的应用程序的授权身份信息。Step 201: Obtain authorization identity information of a new application program using cloud services.
以在PaaS平台上实现Oauth2协议为例,当用户第一次使用Oauth2登录云服务中新的应用程序时需要进行身份发现和联合操作,此操作发生在用户授权该新的应用程序的身份信息之后,Oauth2服务通过将授权的身份信息发送给云服务执行身份信息的发现和联合操作。Taking the implementation of the Oauth2 protocol on the PaaS platform as an example, when the user first uses Oauth2 to log in to a new application in the cloud service, identity discovery and federation operations are required. This operation occurs after the user authorizes the identity information of the new application. , the Oauth2 service performs identity information discovery and federation operations by sending authorized identity information to the cloud service.
步骤202:所述使用云服务的新的应用程序的授权身份信息和所获取的第i个身份信息满足预设的认证条件时,生成用于存储所述新的应用程序的授权身份信息的标识信息的区块,将生成的区块添加到与所获取的第i身份信息对应的区块链后,得到新的区块链,i取1至n的整数,n表示所获取的身份信息的个数。Step 202: When the authorization identity information of the new application using the cloud service and the acquired i-th identity information meet the preset authentication conditions, generate an identifier for storing the authorization identity information of the new application After adding the generated block to the block chain corresponding to the i-th identity information obtained, a new block chain is obtained, where i takes an integer from 1 to n, and n represents the number of the obtained identity information number.
After the authorization identity information of the new application that uses the cloud service has been obtained, the method further includes: computing, according to a preset similarity calculation method, the similarity between the authorization identity information of the new application and each acquired identity information item.
The preset authentication condition may include: the similarity between the authorization identity information of the new application that uses the cloud service and the i-th acquired identity information is greater than a similarity threshold.
In practice, the preset authentication condition may further include: the authorization identity information of the new application that uses the cloud service passes user verification.
For example, the preset similarity calculation method may obtain the similarity by counting the number of fields in which the authorization identity information and each identity information item in the cloud service are identical. A matching-field count represents the similarity of the authorization identity information; it is initialized to 0 and incremented by 1 whenever any field such as the user name, password, mobile phone number, e-mail address or nickname is identical. After the similarity between the authorization identity information and every acquired identity information item has been computed, it is determined whether the matching-field count between the authorization identity information and the i-th identity information item acquired from the cloud service is greater than the similarity threshold; if so, a block for storing the identification information of the new application's authorization identity information is generated and appended to the block chain corresponding to the i-th acquired identity information.
The identification information of the new application's authorization identity information is part of the information in the new application's authorization identity information.
For example, when the authorization identity information includes a user name, e-mail address and contact details, the user name may be used as the identification information of the application's identity information and stored in the block corresponding to the application.
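The similarity test of step 202 as runnable code. This is an added illustration, not code from the patent; the field names, the threshold value of 2 and the sample records are assumptions. One deliberate departure from the text: the patent lists the password among the comparable fields, but a service should never hold another application's password in a comparable form, so the example compares only the non-secret fields the patent names.

```python
"""Identity discovery by matching-field similarity. Added example, not the patent's code."""
from typing import Optional

# Fields the patent names as comparable. The password is left out on purpose: a service
# should not hold another application's password in a comparable form (editor's choice).
COMPARED_FIELDS = ("username", "email", "phone", "nickname", "age", "occupation")

SIMILARITY_THRESHOLD = 2  # assumed value; the patent only says "greater than a threshold"


def normalise(value) -> str:
    """Case-fold and trim so that 'Alice' and 'alice ' count as the same value."""
    return str(value).strip().casefold()


def similarity(new_identity: dict, known_identity: dict) -> int:
    """Matching-field count: starts at 0, +1 for every compared field with an equal value."""
    count = 0
    for field in COMPARED_FIELDS:
        a, b = new_identity.get(field), known_identity.get(field)
        if a is None or b is None:
            continue  # a field absent on either side is no evidence either way
        if normalise(a) == normalise(b):
            count += 1
    return count


def discover(new_identity: dict, known_identities: list,
             threshold: int = SIMILARITY_THRESHOLD) -> Optional[int]:
    """Index i of the best-matching known identity whose similarity exceeds the threshold,
    or None when no record qualifies (step 507: fall back to plain OAuth2)."""
    best_i, best_score = None, threshold
    for i, known in enumerate(known_identities):
        score = similarity(new_identity, known)
        if score > best_score:  # strict: ties keep the earlier record
            best_i, best_score = i, score
    return best_i


def identification_info(identity: dict) -> str:
    """What the new block stores: a non-private part of the record, here the user name."""
    return identity["username"]


# Constructed sample records (not real accounts): identities already authorised in the
# cloud service, and the record the user just authorised for a new application.
KNOWN_IDENTITIES = [
    {"username": "alice", "email": "alice@example.com", "phone": "+8613800000001", "age": 30},
    {"username": "bob_k", "email": "bob@example.net", "nickname": "bobby"},
]
NEW_APP_IDENTITY = {"username": "Alice", "email": "ALICE@example.com",
                    "phone": "+8613800000001", "occupation": "engineer"}
```

With the constructed records, `discover(NEW_APP_IDENTITY, KNOWN_IDENTITIES)` returns 0 (three fields agree with the first record), and `identification_info` of that record is the user name that would go into the new block. A practitioner should treat a high count as grounds for the user confirmation of step 505, not as proof on its own: e-mail addresses and phone numbers are reused and typo-prone, so the count alone can link two different people.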
Step 203: When it is determined that the new application is to be logged in to using the cloud service, obtain the block corresponding to the new application from the new block chain and log in to the new application based on the information stored in the obtained block.
In this step, after the identity information federation is complete, that is, after the new block chain has been created, the user can directly use the identification information stored in the block to access the resources of the corresponding application in the cloud service.
The embodiment of the present invention may further include: setting access permission information for each application that uses the cloud service, the access permission information indicating whether the application is allowed to use its required-authorization resources and/or whether it is allowed to use its optional-authorization resources, where an application's required-authorization resources are the cloud service resources that must be used to ensure that the application runs. In this way fine-grained authorization is achieved, improving the adaptability of the PaaS platform.
The embodiment of the present invention federates all the identity information of the same user in the cloud service, achieves authentication across multiple identities, and ensures the security and reliability of identity authentication, whereas in the prior art the OAuth2 protocol does not federate the multiple identity information items held in the cloud service.
Figure 3 is a schematic diagram of the authorization process based on block chain technology in the embodiment of the present invention. As shown in Figure 3, after the identity information registered with a third-party application has been obtained, the PaaS platform first digitally signs the identity information the user authorized for the third-party application. Specifically, the PaaS platform digitally signs the authorization identity information and feeds the digital signature into a Secure Hash Algorithm (SHA) checker, which hashes it to produce a check code. The PaaS platform creates a block for the check code and stores the check code in the new block, then authenticates and authorizes the newly created block by verifying the block information; once the block passes verification it is added to the corresponding block chain, completing the authorization and authentication of the user's identity information.
Figure 4 is a schematic diagram of the authentication process based on block chain technology in the embodiment of the present invention. As shown in Figure 4, the user sends an authentication request through a third-party application; after the request has propagated to the cloud service over the P2P network, the PaaS platform verifies the request against the check code stored in the corresponding block chain and propagates the verification result over the P2P network. When the authentication request matches the check code stored in the block chain, the third-party application directly accesses the corresponding data storage space of the cloud service and obtains the authorized resources.
In the embodiment of the present invention, the authorization identity information of each initial application that uses the cloud service is acquired and a block chain is established from the acquired identity information, the established block chain including a block that stores the identification information of the corresponding authorization identity information; the authorization identity information of a new application that uses the cloud service is obtained; when the authorization identity information of the new application and the i-th acquired identity information satisfy the preset authentication condition, a block for storing the identification information of the new application's authorization identity information is generated and appended to the block chain corresponding to the i-th acquired identity information to obtain a new block chain, where i is an integer from 1 to n and n is the number of acquired identity information items; and when it is determined that the new application is to be logged in to using the cloud service, the block corresponding to the new application is obtained from the new block chain and the new application is logged in to based on the information stored in that block. In this way the security of identity authentication on the PaaS platform is guaranteed, and fine-grained authorization is achieved to improve the adaptability of the PaaS platform.
Second embodiment
To better illustrate the purpose of the present invention, a further example is given on the basis of the first embodiment.
Figure 5 is a flowchart of the second embodiment of the authentication method based on block chain technology of the present invention. As shown in Figure 5, the method includes:
Step 500: Establish the corresponding block chain from the identity information of all the applications the user has authorized.
It will be understood that when the same user registers several different applications with similar identity information, the identity information registered with each application can be used to establish the user's application authorization information block chain.
Step 501: Obtain the authorization identity information of a new application.
When the user again registers a new application with similar identity information, this new identity information is obtained and identity discovery and federation are performed.
Step 502: Compute the similarity between the new authorization identity information and the identity information already authorized in the cloud service.
Optionally, all the already-authorized identity information in the cloud service that is similar to the new authorization identity information is retrieved first; specifically, each retrieved item has at least one field, such as the user name, e-mail address or telephone number, identical to the new authorization identity information. The similarity between the new authorization identity information and the i-th retrieved item is then computed. The higher the similarity, the more likely the new and the already-authorized identity information come from the same user; if they are determined to belong to the same user, the different authorization identity information items can be federated to establish the user's identity information block chain.
Step 503: Determine whether the similarity is greater than the similarity threshold; if so, go to step 504, otherwise go to step 507.
Step 504: Generate a block for storing the identification information of the new application's authorization identity information.
When the similarity exceeds the threshold, the new authorization identity information is associated with identity information already authorized in the cloud service, and these items may be the same user's authorizations for different third-party applications. Part of the new authorization information can then be stored in the corresponding block as identification information; to protect the user's private information, this part can be the user name or other non-private information. The identification information may also be ciphertext produced by encrypting the authorization identity information with an encryption algorithm; commonly used algorithms include the Data Encryption Standard (DES), the International Data Encryption Algorithm (IDEA) and the RSA public-key algorithm (Rivest, Shamir, Adleman), of which DES is obsolete and should not be used in a new design. The identification information may also be a digest produced by hashing the authorization identity information.
Step 505: Determine whether the block passes verification by the PaaS platform; if so, go to step 506, otherwise go to step 507.
In this step, the PaaS platform may generate a challenge from the newly generated block and send it to the user, in order to confirm whether the matched identity is that user's identity information in the cloud service. If it is, the block is determined to have passed authentication; if not, the block fails authentication, which means that authentication of the new authorization identity information has failed, and the identity authentication service is then performed according to the existing OAuth2 protocol.
Step 506: Append the generated block to the block chain corresponding to the i-th acquired identity information, completing the PaaS platform's authentication and authorization.
Specifically, after the block passes authentication it is propagated on the PaaS platform over the P2P network, so as to update the identity information block chain corresponding to the user.
Step 507: Perform the identity authentication service according to the existing OAuth2 protocol.
In practice, if the user's identity information has been federated successfully, then when the user accesses the cloud service through OAuth2 the OAuth2 service can use the identification information stored in the block to log in to the third-party application on the cloud service directly, without a further user authorization; the data space of the cloud service the user accesses is then the data space corresponding to the user's cloud identity. If federation fails, that is, no similar identity information is found or the user's confirmation fails, the identity authentication service is performed according to the existing OAuth2 protocol.
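Block generation, platform verification, user challenge confirmation and appending (steps 504 to 506), together with the authorization and authentication flows of Figures 3 and 4, as one added example that is not code from the patent. Assumptions: an HMAC-SHA256 under a platform secret stands in for the platform's digital signature (a deployment would use an asymmetric signature so that any peer can verify the block), the check code is SHA-256 over that signature, blocks are linked by the previous block's hash, and the user's confirmation is a yes/no answer that must quote the challenge the platform issued for that block; the application names and identity records are constructed.

```python
"""Identity-information block chain: platform signature, SHA check code, challenge
confirmation and request verification. Added example, not the patent's code."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Assumed for the example: HMAC-SHA256 under a platform secret stands in for the
# platform's digital signature (a deployment would use an asymmetric signature).
PLATFORM_KEY = b"constructed-paas-signing-secret"
GENESIS_PREV = "0" * 64

@dataclass
class Block:
    app: str         # application the block belongs to
    ident: str       # identification info stored on-chain (a user name, not the full record)
    check_code: str  # SHA-256 of the platform signature over the authorised identity info
    prev_hash: str   # hash of the preceding block in this user's chain (assumed linkage)
    hash: str = ""

    def compute_hash(self) -> str:
        payload = json.dumps([self.app, self.ident, self.check_code, self.prev_hash]).encode()
        return hashlib.sha256(payload).hexdigest()

def check_code_for(identity: dict) -> str:
    """Figure 3: sign the canonical identity record, then hash the signature."""
    canonical = json.dumps(identity, sort_keys=True, separators=(",", ":")).encode()
    signature = hmac.new(PLATFORM_KEY, canonical, hashlib.sha256).digest()
    return hashlib.sha256(signature).hexdigest()

def make_block(chain: list, app: str, ident: str, identity: dict) -> Block:
    prev = chain[-1].hash if chain else GENESIS_PREV
    block = Block(app, ident, check_code_for(identity), prev)
    block.hash = block.compute_hash()
    return block

def block_valid(chain: list, block: Block) -> bool:
    """Step 505, platform side: the block must link to the chain head and hash correctly."""
    expected_prev = chain[-1].hash if chain else GENESIS_PREV
    return block.prev_hash == expected_prev and hmac.compare_digest(block.hash, block.compute_hash())

_pending = {}  # challenge -> hash of the block awaiting the user's confirmation

def issue_challenge(block: Block) -> str:
    """Step 505, user side: a fresh challenge bound to the new block, sent to the user."""
    challenge = secrets.token_hex(16)
    _pending[challenge] = block.hash
    return challenge

def confirm(block: Block, challenge: str, approved: bool) -> bool:
    """A confirmation counts only if it quotes a live challenge issued for this very block."""
    bound = _pending.pop(challenge, None)
    return bound is not None and hmac.compare_digest(bound, block.hash) and approved

def append_block(chain: list, block: Block, challenge: str, approved: bool) -> bool:
    """Step 506: append only after platform verification and user confirmation both pass."""
    if block_valid(chain, block) and confirm(block, challenge, approved):
        chain.append(block)
        return True
    return False

def chain_valid(chain: list) -> bool:
    """Re-check every link; a modified stored block no longer matches its own hash."""
    prev = GENESIS_PREV
    for block in chain:
        if block.prev_hash != prev or block.hash != block.compute_hash():
            return False
        prev = block.hash
    return True

def authenticate(chain: list, app: str, presented_identity: dict) -> bool:
    """Figure 4: accept the request only if it reproduces the check code stored for the app."""
    for block in chain:
        if block.app == app:
            return hmac.compare_digest(block.check_code, check_code_for(presented_identity))
    return False

# Constructed sample identities for one user (not real accounts).
PHOTO_IDENTITY = {"username": "alice", "email": "alice@example.com"}
NOTES_IDENTITY = {"username": "alice", "email": "alice@example.com", "phone": "+8613800000001"}

def run_example() -> dict:
    """End-to-end run over the constructed identities; returns the observable outcomes."""
    chain = []
    b1 = make_block(chain, "photo-app", "alice", PHOTO_IDENTITY)
    first_ok = append_block(chain, b1, issue_challenge(b1), True)
    b2 = make_block(chain, "notes-app", "alice", NOTES_IDENTITY)
    stale = append_block(chain, b2, "not-a-live-challenge", True)  # no such challenge issued
    second_ok = append_block(chain, b2, issue_challenge(b2), True)
    auth_ok = authenticate(chain, "notes-app", NOTES_IDENTITY)
    auth_bad = authenticate(chain, "notes-app", PHOTO_IDENTITY)  # wrong record for that app
    valid_before = chain_valid(chain)
    chain[0].ident = "mallory"  # tamper with a stored block
    return {"first_ok": first_ok, "stale": stale, "second_ok": second_ok, "length": len(chain),
            "auth_ok": auth_ok, "auth_bad": auth_bad,
            "valid_before": valid_before, "valid_after": chain_valid(chain)}
```

Two points the code makes that the text leaves implicit: a confirmation is single-use and bound to one block, so a captured "yes" cannot be replayed to approve a different federation; and because only a check code is stored, the chain never reveals the identity record, yet a later request must present the exact record to authenticate, so the service still needs to protect the record in transit (the chain does not replace TLS or the OAuth2 token exchange).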
In the OAuth2 protocol, because the cloud service authenticates the user by verifying the user's OAuth2 identity information sent by the OAuth2 service, all of the user's operations and data after login are associated with that OAuth2 identity. A malicious attacker can use this identity identifier to retrieve the activity of the OpenID identity across different cloud services and thus spy on the user's privacy; such attacks are especially common in social networks.
In the embodiment of the present invention, however, the introduction of identity information discovery and federation allows new authorization identity information to be federated automatically without the user having to enter all the authorization identity information, which reduces the user's burden and avoids resources becoming inaccessible because identity information was forgotten. At the same time, when federation succeeds, the identity information the OAuth2 service passes to the third-party cloud service consists only of the identification information of the identity the user logs in with, so all of the user's operations and data after login are associated only with that identification information, which prevents privacy spying to some extent and protects user privacy.
Third embodiment
To better illustrate the purpose of the present invention, a further example is given on the basis of the first embodiment.
Figure 6 is a flowchart of the third embodiment of the authentication method based on block chain technology of the present invention. As shown in Figure 6, after the identity information authorized by the user has been authenticated, the user can use the authorization information stored in the newly established block chain to access the corresponding resources in the cloud service directly, and fine-grained authorization is applied to the accessed resources. The procedure may be as follows:
Step 600: Set access permissions for the resources of each third-party application in the cloud service.
Specifically, attribute restrictions are placed on the scope field that the OAuth2 protocol uses to specify the requested resources: when a third-party application sends an access request, the resources requested in scope are first labelled "required authorization" or "optional authorization". "Required authorization" means that access to the labelled resource is not restricted; "optional authorization" means that the user may freely set the access permissions of the labelled resource.
In the prior art, a third-party application requesting the resources of a cloud service needs the user's authorization, and the OAuth2 protocol sends the request by specifying in the scope field all the resources to be accessed at once. In most OAuth implementations, however, the user can only accept or reject the authorization request as a whole and cannot freely choose to authorize or refuse a particular resource. During identity information authorization in particular, when a third-party cloud service requests sensitive information the user would rather not authorize, such as a telephone number or address, the user cannot refuse because the functions of the third-party application are needed, which seriously reduces the security of the user's resources. The embodiment of the present invention therefore applies fine-grained authorization to the accessed resources, ensuring the security of the user's resources and improving the adaptability of the PaaS platform.
Step 601: The third-party application directly accesses the third-party application's data space in the cloud service using the authorization information stored in the block chain.
Step 602: The user sets the authorization for the resources the third-party application requests to access.
For example, third-party application A sends a resource access request to the cloud service; the cloud service logs in to the third-party application using the authorization information stored in the corresponding block, then sends the information about the requested resources to the user, who makes the authorization choices. For "required authorization" resources the user can only accept the authorization; for "optional authorization" resources the user can set the authorization flexibly, for example the number of authorized uses, the authorization period and the authorized party, or refuse authorization altogether. The cloud service can grant "required authorization" resources directly without prompting the user, and prompt the user to choose for "optional authorization" resources. Dividing resources into "required authorization" and "optional authorization" in this way ensures on the one hand that the third-party application's functions are unaffected and on the other hand protects the user's sensitive resources.
Step 603: The third-party application accesses the resources the user has authorized in the cloud service according to the user's authorization settings.
Specifically, "required authorization" resources can be obtained unconditionally, while "optional authorization" resources can only be obtained when the authorization condition holds and are otherwise unavailable.
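Steps 600 to 603 as an added example, not the patent's code. It assumes the application registers its required scopes with the platform, and models the user's settings for an optional scope as a remaining-use count, an expiry time and an allowed requesting party (the three kinds of condition step 602 names); the scope and application names are constructed.

```python
"""Fine-grained OAuth2 scope authorisation with 'required' and 'optional' labels.
Added example, not the patent's code."""
import time
from dataclasses import dataclass
from typing import Optional

REQUIRED = "required"
OPTIONAL = "optional"


@dataclass
class Grant:
    """The user's settings for one optional-authorisation resource (assumed shape: the
    patent names a use count, a period and a party as examples of what the user may set)."""
    uses_left: Optional[int] = None     # None -> unlimited number of uses
    expires_at: Optional[float] = None  # epoch seconds; None -> no expiry
    party: Optional[str] = None         # requesting application; None -> any


def parse_scope(scope: str) -> list:
    """OAuth2 scope values are space-delimited (RFC 6749, section 3.3)."""
    return scope.split()


def label_scopes(requested: list, required_for_app: set) -> dict:
    """Step 600: label each requested scope 'required' or 'optional'.
    required_for_app is assumed to come from the app's registration with the platform."""
    return {s: (REQUIRED if s in required_for_app else OPTIONAL) for s in requested}


def decide(requested: list, required_for_app: set, grants: dict, party: str,
           now: Optional[float] = None) -> dict:
    """Steps 602-603: required scopes are granted unconditionally; an optional scope is
    granted only while the user's conditions hold, and each grant consumes one use."""
    now = time.time() if now is None else now
    decision = {}
    for scope, label in label_scopes(requested, required_for_app).items():
        if label == REQUIRED:
            decision[scope] = True
            continue
        grant = grants.get(scope)
        if grant is None:  # the user never authorised it: refuse, do not prompt silently
            decision[scope] = False
            continue
        allowed = (grant.party in (None, party)
                   and (grant.expires_at is None or now < grant.expires_at)
                   and (grant.uses_left is None or grant.uses_left > 0))
        if allowed and grant.uses_left is not None:
            grant.uses_left -= 1
        decision[scope] = allowed
    return decision


# Constructed example: what "photo-app" registered as required, and what the user set.
PHOTO_APP_REQUIRED = {"profile:basic", "storage:read"}


def example_grants() -> dict:
    return {
        "contact:phone": Grant(uses_left=1, party="photo-app"),  # once, to photo-app only
        "contact:address": Grant(expires_at=1000.0),             # already expired at now=2000
    }
```

Called with the scope string `"profile:basic storage:read contact:phone contact:address"`, the two required scopes are granted, the phone number is released once and then refused on the next request, and the expired address grant is refused; a different application presenting the same scope gets nothing optional. The point for a reviewer is that the "required" label is set by the platform from the application's registration, not taken from the request, otherwise an application would simply mark every scope as required.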
Third embodiment
For the method of the embodiment of the present invention, an embodiment of the present invention also provides an authentication apparatus based on block chain technology. Figure 7 is a schematic diagram of the structure of the authentication apparatus based on block chain technology in the embodiment of the present invention. As shown in Figure 7, the apparatus includes an establishment module 700, an acquisition module 701, an authentication module 702 and a login module 703, where:
the establishment module 700 is configured to acquire the authorization identity information of each initial application that uses the cloud service and establish a block chain based on the acquired identity information, the established block chain including a block that stores the identification information of the corresponding authorization identity information;
the acquisition module 701 is configured to obtain the authorization identity information of a new application that uses the cloud service;
the authentication module 702 is configured to, when the authorization identity information of the new application that uses the cloud service and the i-th acquired identity information satisfy the preset authentication condition, generate a block for storing the identification information of the new application's authorization identity information and append the generated block to the block chain corresponding to the i-th acquired identity information to obtain a new block chain, where i is an integer from 1 to n and n is the number of acquired identity information items;
the login module 703 is configured to, when it is determined that the new application is to be logged in to using the cloud service, obtain the block corresponding to the new application from the new block chain and log in to the new application based on the information stored in the obtained block.
Preferably, the authentication module 702 is further configured to compute, according to a preset similarity calculation method, the similarity between the authorization identity information of the new application that uses the cloud service and each acquired identity information item;
The preset authentication condition may include: the similarity between the authorization identity information of the new application that uses the cloud service and the i-th acquired identity information is greater than a similarity threshold.
The preset authentication condition may further include: the authorization identity information of the new application that uses the cloud service passes user verification.
Optionally, the authorization identity information of the new application includes at least one of: a user name, an e-mail address, contact details, age and occupation.
Preferably, the identification information of the new application's authorization identity information is part of the information in the new application's authorization identity information.
Preferably, the apparatus may further include an authorization module configured to set access permission information for each application that uses the cloud service, the access permission information indicating whether the application is allowed to use its required-authorization resources and/or whether it is allowed to use its optional-authorization resources, where an application's required-authorization resources are the cloud service resources that must be used to ensure that the application runs.
In practice, the establishment module 700, the acquisition module 701, the authentication module 702 and the login module 703 may each be implemented by a central processing unit (CPU), a microprocessor unit (MPU), a digital signal processor (DSP) or a field-programmable gate array (FPGA) located in a terminal device.
Those skilled in the art will appreciate that embodiments of the present invention may be provided as a method, a system or a computer program product. The present invention may therefore take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the present invention. It will be understood that each flow and/or block of the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps is performed on the computer or other programmable device to produce a computer-implemented process, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
The above are merely preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention.
Claims (12)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611248779.4A CN108259438B (en) | 2016-12-29 | 2016-12-29 | Authentication method and device based on block chain technology |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611248779.4A CN108259438B (en) | 2016-12-29 | 2016-12-29 | Authentication method and device based on block chain technology |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108259438A true CN108259438A (en) | 2018-07-06 |
CN108259438B CN108259438B (en) | 2021-02-05 |
Family
ID=62721555
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611248779.4A Active CN108259438B (en) | 2016-12-29 | 2016-12-29 | Authentication method and device based on block chain technology |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108259438B (en) |
Cited By (28)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109391611A (en) * | 2018-08-17 | 2019-02-26 | 深圳壹账通智能科技有限公司 | User personal information encryption and authorization method, device, equipment and readable storage medium |
CN109005186A (en) * | 2018-08-20 | 2018-12-14 | 杭州复杂美科技有限公司 | Method, system, equipment and storage medium for isolating user identity information |
CN109005186B (en) * | 2018-08-20 | 2020-12-11 | 杭州复杂美科技有限公司 | Method, system, equipment and storage medium for isolating user identity information |
CN108989354A (en) * | 2018-09-03 | 2018-12-11 | 湖北文理学院 | Identity verification method and device |
CN108989354B (en) * | 2018-09-03 | 2021-06-15 | 湖北文理学院 | Identity verification method and device |
CN109255010A (en) * | 2018-09-05 | 2019-01-22 | 明涛(保定)信息技术服务有限公司 | Block chain patent arrangement process |
CN108898039A (en) * | 2018-09-06 | 2018-11-27 | 深圳市晓控通信科技有限公司 | Shatter-resistant and energy-efficient barcode scanning gun based on block chain technology |
CN109325342B (en) * | 2018-09-10 | 2024-03-05 | 平安科技(深圳)有限公司 | Identity information management method, device, computer equipment and storage medium |
CN109325342A (en) * | 2018-09-10 | 2019-02-12 | 平安科技(深圳)有限公司 | Identity information management method, device, computer equipment and storage medium |
CN109347799A (en) * | 2018-09-13 | 2019-02-15 | 深圳市图灵奇点智能科技有限公司 | Identity information management method and system based on block chain technology |
CN109450849A (en) * | 2018-09-26 | 2019-03-08 | 汤建男 | Cloud server networking method based on block chain |
CN109388639A (en) * | 2018-09-29 | 2019-02-26 | 四川赢才多多科技有限公司 | Storage record module based on block chain technology |
CN111274612A (en) * | 2018-12-04 | 2020-06-12 | 北京京东尚科信息技术有限公司 | Practitioner trust verification method and system, witness service system and storage medium |
WO2020113546A1 (en) * | 2018-12-07 | 2020-06-11 | 北京大学深圳研究生院 | Privacy protection and identity management method and system for multi-mode identifier network |
CN109617692B (en) * | 2018-12-13 | 2022-04-26 | 郑州师范学院 | Anonymous login method and system based on blockchain |
CN109617692A (en) * | 2018-12-13 | 2019-04-12 | 郑州师范学院 | Anonymous login method and system based on blockchain |
CN109961292A (en) * | 2019-03-22 | 2019-07-02 | 杭州复杂美科技有限公司 | Block chain verification code application method, device and storage medium |
CN109961292B (en) * | 2019-03-22 | 2022-04-01 | 杭州复杂美科技有限公司 | Block chain verification code application method, device and storage medium |
CN110213046A (en) * | 2019-05-30 | 2019-09-06 | 全链通有限公司 | Identity verification method, device and storage medium based on consortium block chain |
CN111147477A (en) * | 2019-12-24 | 2020-05-12 | 深圳前海微众银行股份有限公司 | Verification method and device based on block chain network |
CN111147477B (en) * | 2019-12-24 | 2023-04-18 | 深圳前海微众银行股份有限公司 | Verification method and device based on block chain network |
CN111159736A (en) * | 2019-12-25 | 2020-05-15 | 联通(广东)产业互联网有限公司 | Application control method and system of block chain |
CN111641695B (en) * | 2020-05-19 | 2022-10-28 | 全链通有限公司 | Block chain-based application program authorized use method, device and storage medium |
CN111641695A (en) * | 2020-05-19 | 2020-09-08 | 全链通有限公司 | Block chain-based application program authorized use method, device and storage medium |
CN113204744A (en) * | 2021-04-07 | 2021-08-03 | 西安西电链融科技有限公司 | Software authorization system and method based on distributed identity |
CN113204744B (en) * | 2021-04-07 | 2024-04-23 | 西安链融科技有限公司 | Software authorization system and method based on distributed identity |
CN113642019A (en) * | 2021-08-16 | 2021-11-12 | 中国人民解放军国防科技大学 | Two-layer grouping Byzantine fault-tolerant consensus method and system |
CN113642019B (en) * | 2021-08-16 | 2023-07-25 | 中国人民解放军国防科技大学 | Two-layer grouping Byzantine fault-tolerant consensus method and system |
Also Published As
Publication number | Publication date |
---|---|
CN108259438B (en) | 2021-02-05 |
Similar Documents
Publication | Title |
---|---|
CN108259438B (en) | Authentication method and device based on block chain technology |
US11973750B2 (en) | Federated identity management with decentralized computing platforms |
CN112333198B (en) | Secure cross-domain login method, system and server |
US11438764B2 (en) | Secure mobile initiated authentication |
Mukta et al. | Blockchain-based verifiable credential sharing with selective disclosure |
CN112671720B (en) | Token construction method, device and equipment for cloud platform resource access control |
KR101816653B1 (en) | Method for providing login flow via authentication based on public key infrastructure in response to user's login request for using service provided by service provider server in use of smart contract with blockchain database and server using the same |
JP6574168B2 (en) | Terminal identification method, and method, system, and apparatus for registering machine identification code |
US9998438B2 (en) | Verifying the security of a remote server |
US9130926B2 (en) | Authorization messaging with integral delegation data |
WO2017107976A1 (en) | Client apparatus, server apparatus and access control system for authorized access |
US9401911B2 (en) | One-time password certificate renewal |
JP2022545627A (en) | Decentralized data authentication |
CA3053316A1 (en) | Method for providing simplified account registration service and user authentication service, and authentication server using same |
JP7090161B2 (en) | Device self-authentication for secure transactions |
CN111355726A (en) | Identity authorization login method and device, electronic equipment and storage medium |
KR101816652B1 (en) | Method for providing login flow via authentication based on public key infrastructure in response to user's login request for using service provided by service provider server in use of merkle tree structure on the basis of unspent transaction output protocol and server using the same |
CN119324785A (en) | System, method, and storage medium for license authorization in a computing environment |
US20170104748A1 (en) | System and method for managing network access with a certificate having soft expiration |
CA3217688A1 (en) | Multi-factor authentication using blockchain |
WO2021073383A1 (en) | User registration method, user login method and corresponding device |
US20220263818A1 (en) | Using a service worker to present a third-party cryptographic credential |
Lim et al. | AuthChain: a decentralized blockchain-based authentication system |
Tiwari et al. | Design and Implementation of Enhanced Security Algorithm for Hybrid Cloud using Kerberos |
CN116561820B (en) | Trusted data processing method and related device |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |